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Introduction 

Chairman Barletta, Ranking Member Carson and Members of this Subcommittee, good afternoon. 
My name is Craig Fugate and I am the Administrator of the Department of Homeland Security’s 
(DHS) Federal Emergency Management Agency (FEMA). Thank you for the opportunity to 
discuss how FEMA fulfills its responsibility to lead the Nation’s response and recovery efforts for 
all hazards, to include the physical impacts of a massive power outage. 

The most effective way for the federal government to plan for and respond to the potentially life- 
threatening physical consequences of a cyber incident on our nation’s power grid is to be as 
prepared as possible to handle the consequences of any type of catastrophic event, regardless of the 
cause. Whether it’s a cyber incident, a space weather event, or a Category 5 hurricane making 
landfall, FEMA, in partnership with its federal partners, has the plans and resources in place for a 
robust federal effort to support state, local, tribal, territorial governments, the private sector, and 
citizens to appropriately respond to any hazard. 

Over the past several years, FEMA - in close coordination with our federal interagency partners, 
the public and private sectors, and other key stakeholders - has made important progress in 
addressing ways in which we respond to, recover from, and mitigate all hazards, including 
malicious cyber activity and the physical consequences of cyber incidents. 

In my testimony today, I will highlight the overarching catastrophic planning frameworks that 
guide FEMA’s response to large-scale complex incidents; current efforts underway to supplement 
all-hazards plans to specifically address cyber incident considerations; and ways in which FEMA 
and other critical stakeholders exercise our ability to respond to catastrophic events, including the 
physical impacts of cyber incidents. 

Overview of Planning and Catastrophic Planning Efforts 

Response Planning 

FEMA’s Planning and Exercise Division is responsible for a number of planning actions, including 
developing and coordinating joint state and federal catastrophic plans; leading the development 
and alignment of regional-to-national-level interagency catastrophic planning efforts; supporting 
regional planning initiatives to align all catastrophic planning; and the overall development and 
delivery of the updated Power Outage Incident Annex, which I will discuss later in this testimony. 

Additionally, we coordinate closely with our federal partners on other preparation efforts, 
including the development of pre-scripted mission assignments, interagency agreements, and 
advanced contracts for commodities. These partnerships are essential to FEMA’s ability to carry 
out its mission by leveraging the full capacity of the federal government to prepare for, protect 
against, respond to, recover from and mitigate catastrophic incidents, including cyber incidents. 

Presidential Policy Directive 8: National Preparedness 

Recognizing that this nation’s preparedness is a shared responsibility across all sectors of our 
society, on March 30, 2011, the President signed Presidential Policy Directive (PPD)-8: National 
Preparedness. PPD-8 aims to strengthen the security and resilience of this nation through 
systematic preparation for the threats and hazards that pose the greatest risk to national security. 
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PPD-8 called for a National Preparedness Goal to guide and align the nation’s preparedness efforts 
at all levels. The National Preparedness Goal is: “A secure and resilient nation with the 
capabilities required across the whole community to prevent, protect against, mitigate, respond to, 
and recover from the threats and hazards that pose the greatest risk.” The Goal is also the 
cornerstone for the implementation of PPD-8. 

The President’s issuance of PPD-8 significantly aided the alignment and integration of operational 
planning under a single National Preparedness System. The five mission frameworks - 
(Prevention, Protection, Mitigation, Response, and Recovery) - set forth the policy, roles and 
responsibilities of the community of partners across Federal, state, local, tribal and territorial 
governments, non-governmental organizations, and individual citizens. 

National Response Framework 

The National Response Framework (NRF) is an essential component of the National Preparedness 
System mandated in PPD-8. It is a guide to how the nation responds to all types of disasters and 
emergencies. It is built on scalable, flexible, and adaptable concepts identified in the National 
Incident Management System (NIMS) to align key roles and responsibilities across the nation. 

The NRF describes specific authorities and best practices for managing incidents that range from 
the serious, but purely local, to large-scale terrorist attacks or catastrophic natural disasters. The 
NRF defines a catastrophic incident as “any natural or manmade incident, including terrorism that 
results in extraordinary levels of mass casualties, damage, or disruption severely affecting the 
population, infrastructure, environment, economy, national morale, or government functions.” 
Furthermore, the NRF describes structures for implementing a nationwide response policy and 
operational coordination for all types of domestic incidents—underscoring the importance of how 
risk informs response planning. The Framework is always in effect and applies to all catastrophic 
incidents, including the physical impacts of malicious cyber activity. 

The NRF organizes the implementation of federal response capabilities and expertise into 14 
Emergency Support Functions (ESFs) to provide the planning, support, resources, program 
implementation, and emergency services needed during a disaster. The ESFs, coordinated by 
FEMA, serve as the primary operational-level mechanisms in support of state, local, tribal, and 
territorial efforts. During a cyber incident that results in physical impacts, most of the ESFs would 
play some role. For example, ESF #6: Mass Care would coordinate the delivery of federal mass 
care, emergency assistance, housing, and human services, while ESF #12: Energy would facilitate 
the restoration of damaged energy systems and components for incidents requiring a coordinated 
Federal response. Federal departments and agencies provide substantial disaster response 
assistance in their areas of expertise, as well as operational support when mission assigned to 
support the disaster response. 

Revision of the National Response Framework (NRF) 

Originally published in 2008 to replace the National Response Plan, the NRF was revised in 2013, 
to focus on how the NRF fits into the National Preparedness System called for in PPD-8. The NRF 
was refreshed again in 2015 to better integrate with the other mission areas. For example, the 
Framework describes in greater detail how “non-Stafford incidents” can employ and utilize the 
NRF to help organize, guide, and streamline incident response. The NRF is intended to be a 
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strategic document, with tactical planning and concept of operations content reserved for the 
Federal Interagency Operational Plans. 

Federal Interagency Operations Plans (FIOPs) 

The FIOPs build upon the National Planning Frameworks (including the NRF highlighted above), 
which set the strategy and doctrine for how the community partners at all levels build, sustain, and 
deliver the core capabilities identified in the National Preparedness Goal. The Response FIOPs is 
structured to address the “maximum of maximum” planning factors for the nation or any given 
region while being flexible and adaptable for the full range of threats that face the nation. A single 
all-hazard FIOP serves to operationalize the roles and responsibilities for each mission framework 
(Prevention, Protection, Mitigation, Response, and Recovery). This all-hazards approach includes 
events that would result from a cyber incident, including effects on infrastructure and individuals. 
The single operational plan for each mission framework allows for increased coordination across 
responders, including coordinated use and maintenance. 

Incident Specific Annexes 

The Incident Annexes to the FIOP address specific contingency or hazard situations or an element 
of an incident requiring specialized application of the general response concept of operations. They 
describe coordinating structures, in addition to the ESFs, that may be used to deliver core 
capabilities and support response missions that are unique to a specific type of incident. Incident 
annexes also describe specialized response teams and resources, incident-specific roles and 
responsibilities, other scenario-specific considerations and an execution schedule to guide the 
employment and deployment of assets. Incident Annexes currently under development include: 

• Oil and Chemical Incident; 

• Nuclear/Radiological Incident; 

• Biological Incident; 

• Food and Agriculture Incident; 

• Mass Evacuation Incident; and 

• Power Outage Incident. 

Power Outage Incident Annex 

FEMA is developing a new Power Outage Incident Annex to the Response and Recovery FIOPs, 
which will address the response and recovery to a mass or long-term power outage regardless of 
cause, but including the impacts of a cyber incident. 

This annex is nearing completion of an operational draft in partnership with the Department of 
Energy, recognizing their role as the ESF #12 lead agency and as the Energy Sector Specific 
Agency (SSA), and with the Sector Coordinating Councils (SCCs) for critical infrastructure. This 
annex will address a serious threat: a significant disruption to our nation’s energy grid-whether 
caused by a natural disaster, cyber or manmade event. FEMA expects that this incident annex will 
also be a valuable tool for other threats that may impact our energy infrastructure, such as 
significant space weather. We anticipate this annex will be released later this year. 

In the coming years FEMA will expand this national planning effort to include joint federal-state 
plans conducted at our FEMA Regions to increase fidelity into our plans and expand our 
partnership to local and regional power providers. 
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FEMA will maintain the final versions of the annex via FEMA’s interagency consequence 
management system and intranet websites, and will notify Congress and other key stakeholders 
(including the public and private sectors) when they are completed. 

While we plan at the federal level, we are also developing tools to support planning across the 
whole community. FEMA is currently leading the development of cybersecurity resource typing 
definitions and job title position qualifications in collaboration with DHS’ National Protection and 
Programs Directorate (NPPD), specifically the National Cybersecurity and Communications 
Integration Center (NCCIC). This will establish a common language for defining the capabilities 
of resources used to respond to cyber incidents via the NIMS. Also, FEMA will partner with 
relevant cyber subject matter experts across the federal government to support eligible jurisdictions 
on improving cybersecurity planning and increasing their ability to maintain cyber-dependent 
essential functions following a catastrophic event. 

National Level Exercise (NLE) 2012 

Many of the efforts I have previously described build on the lessons learned from our exercise 
program. NLE 2012 directly examined the nation’s ability to coordinate and implement 
prevention, preparedness, response, and recovery plans and capabilities pertaining to a series of 
significant cyber events. The scenario of this major exercise was based on a nation state which 
sought to disrupt Critical Infrastructure and Key Resources, logistics systems, and communications 
capabilities of U.S. federal agencies as a way to erode the public’s trust in its security and safety, 
and cause impacts to the U.S. economy. This scenario emphasized the shared responsibility among 
all levels of government, the private sector, and the international community to secure cyber 
networks and coordinate response and recovery actions. The exercise tested our national response 
plans and procedures, including the NRF. 

The exercise: 

• Evaluated government (federal, state, local, tribal, territorial, and international) 
roles and responsibilities in coordinating national cyber response efforts and their 
nexus with physical response efforts, including allocation of resources; 

• Examined the ability to share information across all levels of government and with 
the private sector as well as the general public, to create and maintain cyber 
incident situational awareness, and coordinate response and recovery efforts; and 

• Assessed key decision points and decision making in a significant cyber event. 

As described in FEMA’s NLE 2012 Quick Look Report, this exercise demonstrated the critical 
importance of coordinating national and international response efforts as well as integrating the 
private sector into decision-making. We continue to use lessons learned out of this and other 
exercises as we update and validate our response plans. 

Conclusion 

Our nation will continue to face significant and increasing malicious cyber activity. FEMA, 
working alongside our federal interagency partners, the public and private sectors, and other 
critical stakeholders, continues to lean forward to be able to respond to and recover from these ever 
growing and sophisticated threats. 
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Responding to events like these is a shared responsibility nationwide, including the federal 
government, states, local communities, businesses and individual families themselves. That is why 
we have partnered with communities across the nation to provide vital resources to make sure 
Americans know how to prepare for the potential physical consequences of a cyber incident like a 
major power failure—building understanding of what steps to take before, during, and after such 
an event. 

As outlined in my testimony today, we remain steadfast and earnestly committed in our efforts to 
continue building robust planning capabilities and partnerships that strengthen our resilience to 
these types of incidents. 

Chairman Barletta, and members of this subcommittee, thank you again for the opportunity to 
appear before you today to discuss FEMA’s efforts in managing the physical consequences 
resulting from cyber incidents. 

I look forward to your questions. 
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